"Do not get involved, kill!" Or the whole truth about the safety of automated process control systems. Part 2
Somewhere due to an independent initiative of the organization, somewhere due to the active actions of the state in terms of regulating the protection of the automated process control systems and in general the critical infrastructures of the Russian Federation, most companies currently have at least one of the processes running:
Regardless of the movement in these stages, measures may be taken on the side of the Customer, which allow to increase the security slightly and at the same time do not require large expenditures. For example, setting up and using authentication where it is provided, but not used, and where its use will not affect the workflow.
One of such steps may also be the coverage of production and technological networks with passive monitoring.
')
First of all, we are talking about monitoring the segments of interfacing corporate and technological networks, complementing the monitoring of corporate infrastructure.
Further, as far as possible and availability, the customer carries out monitoring at the top level of the process control system - for operator, dispatching and engineering workstations, industrial SCADA servers with system-wide and applied software installed on them, as well as the corresponding network telecommunication equipment (switches, routers, internetworking) screens, etc.).
In conjunction with monitoring the corporate network and the perimeter of the organization, no matter how vague it may be, these actions make it possible to identify problems in a timely manner and, as a result, increase the level of security of the process control system. By detecting atomic incidents in the corporate network, for example, compromising the final host with 0-day malware or elevating privileges in the domain network, we see a potential attacker even before his movement and penetration into the automated process control system. And in fact, we prevent possible penetrations and incidents in technological segments due to timely response on the side of the Customer.
At the same time, any malicious bundles in the network interfacing segment and in the process control system are under similar control. As an example, atomic incidents of border configuration / segmentation equipment configuration changes, any incidents on the host from which the corresponding changes are made, or on the host for which the configuration changes, indicate a potential access violation and potential malicious actions directed at the process control system.
The situation is somewhat different with the lower levels of the process control system. For example, programmable logic controllers and other hardware with installed software, receiving data from the lower level, transmitting data to the upper level and forming control commands, potentially also act as event sources for the monitoring center.
Integration with them is quite a difficult task, but doable. However, when diving to lower levels, there is always a need for deep elaboration of absolutely individual monitoring and analysis scenarios. And at the same time, in each specific case, one should proceed from the peculiarities of the technological process, the specific and justified needs of the Customer and the corresponding possibilities of using SIEM. As a result, often on the side of the Customer it is advisable to use specialized tools and solutions that provide access to relevant information from middle and lower level devices without working with them directly.
It should be said that now the market has a number of offers of information protection tools for the automated process control system segments. Both from vendors of industrial control systems, and from vendors of various IT and IB products. Regardless of the type and purpose of these funds, the requirement to register de facto events is mandatory for them. As a consequence, any of the possible remedies becomes an additional source for receiving and correlating events in the monitoring center.
Of course, monitoring and detection alone is not enough, and it in no way replaces and solves all the tasks of providing information security systems for automated process control systems, being a necessary but not sufficient condition for providing information security systems in process automation systems.
Approach to the safety of the automated process control system is a simplified block diagram of possible movement.
In the case of expanding the monitoring service at the automated process control system, we fall into one of the above-mentioned ongoing activities on the side of the Customer, but none of them is an obstacle to performing the tasks of operational monitoring and detection of information security incidents.
So, for example, each of the possible interfacing schemes of corporate and technological networks (see the first part of the article ), including well-developed complex interfacing and segmentation schemes, allows obtaining information from closed production and technological segments. In this case, there is no risk of interruption of any of the services and processes within the respective closed segments, and there is no impact on the availability or integrity of the data.
As an example, below is a possible scheme for connecting a closed segment to the monitoring. And although it is far from ideal, at the same time, it allows the Customer to receive the required level of service and results right now, without waiting for the completion of the design and operation of the created interfaces and protection systems.
So in the first approximation, the initial stage of a possible practical approach to the provision of information security in an automated process control system looks like. To a greater extent, it concerns the rapid provision of basic hygiene of information security in the issues of interfacing and building infrastructures for automated process control systems. However, neither this approach, nor our articles on such a complex topic as information security in an automated process control system do not end there. And in the future we plan to continue this cycle of publications with more practical examples and solved problems.
- Analysis of the current cut of the state of information security in the process control system (audit).
- Design and construction of appropriate protection systems for process control systems.
- Or, in addition to this, building or upgrading the process control systems themselves, taking into account the relevant safety requirements.
Regardless of the movement in these stages, measures may be taken on the side of the Customer, which allow to increase the security slightly and at the same time do not require large expenditures. For example, setting up and using authentication where it is provided, but not used, and where its use will not affect the workflow.
One of such steps may also be the coverage of production and technological networks with passive monitoring.
')
First of all, we are talking about monitoring the segments of interfacing corporate and technological networks, complementing the monitoring of corporate infrastructure.
Further, as far as possible and availability, the customer carries out monitoring at the top level of the process control system - for operator, dispatching and engineering workstations, industrial SCADA servers with system-wide and applied software installed on them, as well as the corresponding network telecommunication equipment (switches, routers, internetworking) screens, etc.).
In conjunction with monitoring the corporate network and the perimeter of the organization, no matter how vague it may be, these actions make it possible to identify problems in a timely manner and, as a result, increase the level of security of the process control system. By detecting atomic incidents in the corporate network, for example, compromising the final host with 0-day malware or elevating privileges in the domain network, we see a potential attacker even before his movement and penetration into the automated process control system. And in fact, we prevent possible penetrations and incidents in technological segments due to timely response on the side of the Customer.
An example of an incident in the process control system segment
Hackers managed to disable the blast furnace in Germany via the Internet
According to the Federal Bureau of Information Technology Security of the Federal Republic of Germany, attackers gained access to the control panels of the stoves due to a phishing attack.
At the beginning of the attack, they sent out infected emails to the factory's office workers who did not participate in the production process. By infecting the work computers located in the corporate network, the hackers were later able to infiltrate the system of the control panels of the plant with which the automated kiln line was controlled.
As specified by German officials, the hacking was not a one-time. The attack was a series of individual penetrations into the plant systems, one of which eventually led to the failure of the furnace shutdown mechanism.
The attack led to an incident in which one of the furnaces could not be turned off in the usual way. As a result, the furnace began to be displayed in the system as having an “undefined state”. This led to significant damage throughout the production.
(From the report of the Federal Bureau of Information Technology Security of Germany).
Source of Translation .
Judging by his analysis, such penetration could have been caught in the corporate network more than once before the intruders entered the technological network and had access to the technological equipment.
According to the Federal Bureau of Information Technology Security of the Federal Republic of Germany, attackers gained access to the control panels of the stoves due to a phishing attack.
At the beginning of the attack, they sent out infected emails to the factory's office workers who did not participate in the production process. By infecting the work computers located in the corporate network, the hackers were later able to infiltrate the system of the control panels of the plant with which the automated kiln line was controlled.
As specified by German officials, the hacking was not a one-time. The attack was a series of individual penetrations into the plant systems, one of which eventually led to the failure of the furnace shutdown mechanism.
The attack led to an incident in which one of the furnaces could not be turned off in the usual way. As a result, the furnace began to be displayed in the system as having an “undefined state”. This led to significant damage throughout the production.
(From the report of the Federal Bureau of Information Technology Security of Germany).
Source of Translation .
Judging by his analysis, such penetration could have been caught in the corporate network more than once before the intruders entered the technological network and had access to the technological equipment.
At the same time, any malicious bundles in the network interfacing segment and in the process control system are under similar control. As an example, atomic incidents of border configuration / segmentation equipment configuration changes, any incidents on the host from which the corresponding changes are made, or on the host for which the configuration changes, indicate a potential access violation and potential malicious actions directed at the process control system.
The situation is somewhat different with the lower levels of the process control system. For example, programmable logic controllers and other hardware with installed software, receiving data from the lower level, transmitting data to the upper level and forming control commands, potentially also act as event sources for the monitoring center.
Integration with them is quite a difficult task, but doable. However, when diving to lower levels, there is always a need for deep elaboration of absolutely individual monitoring and analysis scenarios. And at the same time, in each specific case, one should proceed from the peculiarities of the technological process, the specific and justified needs of the Customer and the corresponding possibilities of using SIEM. As a result, often on the side of the Customer it is advisable to use specialized tools and solutions that provide access to relevant information from middle and lower level devices without working with them directly.
It should be said that now the market has a number of offers of information protection tools for the automated process control system segments. Both from vendors of industrial control systems, and from vendors of various IT and IB products. Regardless of the type and purpose of these funds, the requirement to register de facto events is mandatory for them. As a consequence, any of the possible remedies becomes an additional source for receiving and correlating events in the monitoring center.
Of course, monitoring and detection alone is not enough, and it in no way replaces and solves all the tasks of providing information security systems for automated process control systems, being a necessary but not sufficient condition for providing information security systems in process automation systems.
Approach to the safety of the automated process control system is a simplified block diagram of possible movement.
In the case of expanding the monitoring service at the automated process control system, we fall into one of the above-mentioned ongoing activities on the side of the Customer, but none of them is an obstacle to performing the tasks of operational monitoring and detection of information security incidents.
So, for example, each of the possible interfacing schemes of corporate and technological networks (see the first part of the article ), including well-developed complex interfacing and segmentation schemes, allows obtaining information from closed production and technological segments. In this case, there is no risk of interruption of any of the services and processes within the respective closed segments, and there is no impact on the availability or integrity of the data.
As an example, below is a possible scheme for connecting a closed segment to the monitoring. And although it is far from ideal, at the same time, it allows the Customer to receive the required level of service and results right now, without waiting for the completion of the design and operation of the created interfaces and protection systems.
So in the first approximation, the initial stage of a possible practical approach to the provision of information security in an automated process control system looks like. To a greater extent, it concerns the rapid provision of basic hygiene of information security in the issues of interfacing and building infrastructures for automated process control systems. However, neither this approach, nor our articles on such a complex topic as information security in an automated process control system do not end there. And in the future we plan to continue this cycle of publications with more practical examples and solved problems.
Source: https://habr.com/ru/post/349962/
All Articles